From 10a8488f9aa68d44197ab3ebf9a9146c82d3ba68 Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Fri, 27 Sep 2024 15:28:10 -0400
Subject: [PATCH] Specify whether to persist credentials on checkout action
Signed-off-by: Kyle Harding
---
 .github/actions/codeql-analysis/action.yml | 4 +++-
 .github/actions/publish-docker/action.yml | 14 ++++++++------
 .github/workflows/create-pre-release.yml | 8 +++++---
 .github/workflows/create-release.yml | 6 +++++-
 .github/workflows/deploy-k8s.yml | 14 ++++++++------
 .github/workflows/node-ci.yml | 2 ++
 .github/workflows/rc-release.yml | 16 ++++++++++------
 7 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/.github/actions/codeql-analysis/action.yml b/.github/actions/codeql-analysis/action.yml
index 735cba94..f3c62211 100644
--- a/.github/actions/codeql-analysis/action.yml
+++ b/.github/actions/codeql-analysis/action.yml
@@ -3,12 +3,14 @@ description: 'Perform code scanning for vulnerabilities'
 inputs:
 languages:
 description: 'CodeQL Languages'
- required: true
+ required: true
 runs:
 using: "composite"
 steps:
 - name: 'Checkout repository'
 uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: 'Initialize CodeQL'
 uses: github/codeql-action/init@v2
 with:
diff --git a/.github/actions/publish-docker/action.yml b/.github/actions/publish-docker/action.yml
index 79a335af..a840d9dc 100644
--- a/.github/actions/publish-docker/action.yml
+++ b/.github/actions/publish-docker/action.yml
@@ -1,15 +1,15 @@
 name: 'Publish Docker'
 description: 'Publish to Docker'
 inputs:
- docker_username:
+ docker_username:
 description: 'Docker user'
 required: true
- docker_password:
+ docker_password:
 description: 'Docker Password'
 required: true
- tag:
+ tag:
 description: 'Image tag '
- required: true
+ required: true
 default: 'user/app:latest'
 outputs:
 imageid:
@@ -19,6 +19,8 @@ runs:
 using: "composite"
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Setup node
 uses: actions/setup-node@v3
 with:
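Review bot: The new `persist-credentials: false` under `actions/checkout@v3` is the right default, but it is added without any rationale here and in the same bare form in publish-docker, create-pre-release, create-release, deploy-k8s, node-ci and rc-release, so a maintainer who later adds a step that pushes via git will get an opaque auth failure with nothing pointing back to this line. Suggest a one-line comment above each, e.g. `# keep GITHUB_TOKEN out of .git/config; no step in this job pushes via git`, confirming that claim per workflow before copying it. The actions in this hunk (`actions/checkout@v3`, `github/codeql-action/init@v2`) are referenced by mutable major tags; pinning to a full commit SHA with a trailing `# vX.Y.Z` comment would close the tag-retargeting exposure that the persist-credentials change otherwise helps contain.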
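Review bot: `actions/checkout@v2` in this composite action stays two majors behind the `actions/checkout@v4` used by every workflow touched in this commit (codeql-analysis is on `@v3`), so the credential-persistence setting is now uniform while the checkout versions are not. Suggest `- uses: actions/checkout@v4` here and in codeql-analysis/action.yml, and re-check the `persist-credentials` default on the new major while doing so. The login step further down this file still references `docker/login-action@v1` and reads `inputs.DOCKER_USERNAME` while the input is declared as `docker_username`; GitHub treats input ids and expression property names case-insensitively so this most likely resolves, but using the declared spelling removes the dependency on that behaviour.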
@@ -28,7 +30,7 @@ runs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v1
 - name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@v1
 with:
 username: ${{ inputs.DOCKER_USERNAME }}
 password: ${{ inputs.DOCKER_PASSWORD }}
@@ -59,4 +61,4 @@ runs:
 file: ./Dockerfile
 push: true
 tags: |
- ${{ inputs.tag }}
+ ${{ inputs.tag }}
diff --git a/.github/workflows/create-pre-release.yml b/.github/workflows/create-pre-release.yml
index d9df78ba..c5e18f62 100644
--- a/.github/workflows/create-pre-release.yml
+++ b/.github/workflows/create-pre-release.yml
@@ -26,7 +26,7 @@ on:
 - rc
 - snapshot
 required: false
-
+
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
@@ -39,6 +39,8 @@ jobs:
 release: ${{ steps.prerelease.outputs.release }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node
 uses: actions/setup-node@v4
 with:
@@ -48,7 +50,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -65,7 +67,7 @@ jobs:
 run: |
 docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise
 - run: echo "${{ github.ref }}"
- - name: Tag a final release
+ - name: Tag a final release
 id: prerelease
 uses: actionsdesk/semver@0.6.0-rc.10
 with:
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 55421620..158c28ff 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -17,6 +17,8 @@ jobs:
 release: ${{ steps.finalrelease.outputs.release }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node
 uses: actions/setup-node@v4
 with:
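Review bot: After `persist-credentials: false` nothing in this create-pre-release job can authenticate a `git push`, yet the job exists to cut a tag (`release: ${{ steps.prerelease.outputs.release }}` and `uses: actionsdesk/semver@0.6.0-rc.10` in the hunk at -65); if that action creates the tag through the REST API with a token input this is fine, but if it shells out to git the change silently breaks tagging, so verify which it is and record the answer in a comment next to the setting. The same question applies to create-release.yml (`steps.finalrelease`, hunk at -17) and rc-release.yml (`steps.rcrelease`). Separately, the tagging action is pinned to a release candidate (`0.6.0-rc.10`) on the release path; pinning a commit SHA would keep the release tooling reproducible regardless of how that pre-release tag is later moved.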
@@ -26,7 +28,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -72,6 +74,8 @@ jobs:
 steps:
 - name: Clone repo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Prepare
 run: |
diff --git a/.github/workflows/deploy-k8s.yml b/.github/workflows/deploy-k8s.yml
index 171e43a3..94653b4c 100644
--- a/.github/workflows/deploy-k8s.yml
+++ b/.github/workflows/deploy-k8s.yml
@@ -1,13 +1,13 @@
 name: Deploy to Kubernetes
-on:
+on:
 workflow_dispatch:
 inputs:
 status:
- description: 'Status of the previous workflow'
+ description: 'Status of the previous workflow'
 required: true
 default: 'passed'
 release:
- description: 'Release tag from the previous workflow'
+ description: 'Release tag from the previous workflow'
 required: true
 env:
 DOCKER_IMAGE_NAME: yadhav/safe-settings
@@ -20,7 +20,7 @@ env:
 permissions:
 id-token: write
-
+
 jobs:
 deploy-to-k8s:
 if: ${{ github.event.inputs.status == 'passed' }}
@@ -29,11 +29,13 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: azure/login@v1
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - uses: azure/aks-set-context@v3
 with:
 resource-group: ${{env.AZURE_RESOURCE_GROUP}}
@@ -67,4 +69,4 @@ jobs:
 images: ${{env.IMAGE_REGISTRY_URL}}/yadhav/safe-settings:${{ github.event.inputs.release }}
 imagepullsecrets: |
 image-pull-secret
- kubectl-version: 'latest'
+ kubectl-version: 'latest'
diff --git a/.github/workflows/node-ci.yml b/.github/workflows/node-ci.yml
index d599430e..f83dea2f 100644
--- a/.github/workflows/node-ci.yml
+++ b/.github/workflows/node-ci.yml
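Review bot: In the deploy-k8s hunk at -29 the `azure/login@v1` step right after the hardened checkout signs in with `client-id`/`tenant-id`/`subscription-id` and no client secret, relying on the OIDC `id-token: write` permission shown in the hunk at -20, which is the right model; but the job gate `if: ${{ github.event.inputs.status == 'passed' }}` checks a free-text `workflow_dispatch` input whose default is `'passed'` (hunk at -1), so it never verifies that an upstream build succeeded and anyone able to dispatch the workflow deploys whatever `release` tag they type. If the intent is to chain from CI, consider a `workflow_run` trigger gated on `github.event.workflow_run.conclusion`, or place the job behind a protected `environment:` with required reviewers. At minimum a comment on the `if:` line such as `# convenience guard only; does not verify the upstream run` would make the current behaviour explicit.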
@@ -12,6 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/rc-release.yml b/.github/workflows/rc-release.yml
index e00e8716..231788c6 100644
--- a/.github/workflows/rc-release.yml
+++ b/.github/workflows/rc-release.yml
@@ -1,5 +1,5 @@
 # Simple workflow for deploying static content to GitHub Pages
-name: RC Release
+name: RC Release
 on:
 pull_request:
@@ -24,6 +24,8 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -31,8 +33,8 @@ jobs:
 cache: npm
 - run: npm ci
 - run: npm run build --if-present
-# - run: npm test -- -u
+ - name: Tag a rc release
 if: ${{ !github.event.pull_request.head.repo.fork }}
 id: rcrelease
 uses: actionsdesk/semver@0.6.0-rc.10
@@ -40,7 +42,7 @@ jobs:
 prerelease: withBuildNumber
 prelabel: rc
 commitish: ${{ github.head_ref }}
-
+
 image:
 name: Build and push Docker image
 runs-on: ubuntu-latest
@@ -48,7 +50,7 @@ jobs:
 permissions:
 contents: read
 packages: write
-
+
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
@@ -56,6 +58,8 @@ jobs:
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - run: echo ${{ github.actor }}
@@ -86,7 +90,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 provenance: false
 sbom: false
-
+
 # package:
 # needs: [rcrelease]
 # runs-on: ubuntu-latest
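Review bot: In the rc-release image job (hunk at -56) the line `- run: echo ${{ github.actor }}` interpolates a context value straight into the shell command; `github.actor` is constrained to a GitHub login so it is harmless here, and `github.head_ref` in the tag step and `github.ref` in create-pre-release are only writable by collaborators, but the habit to establish is routing context values through the environment, `env: ACTOR: ${{ github.actor }}` then `run: echo "$ACTOR"`, so a later copy of the pattern with a PR title or branch name does not become an injection point. The checkout hardening itself looks complete for this file, and the tag step's `if: ${{ !github.event.pull_request.head.repo.fork }}` correctly keeps the `GH_TOKEN`-backed tagging off fork pull requests; a short comment stating that intent on the `if:` line would help the next reader.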